A computationally-efficient construction for the matrix-based key distribution in 
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Abstract 

This paper introduces a variant for the symmetric 
matrix-based key distribution in sensor network introduced 
by Du et al. Our slight modification shows that the usage 
of specific structures for the public matrix instead of fully 
random matrix with elements in "Lq can reduce the compu- 
tation overhead for generating the public key information 
and the key itself. An intensive analysis followed by mod- 
ified scheme demonstrates the value of our contribution in 
relation with the current work and show the equivalence of 
the security 



1. Introduction 

Key pre-distribution (KPD) is a challenging issue in de- 
ploying the symmetric key cryptography for wireless sensor 
network (WSN). In the KPD, a set of keys or keying mate- 
rial is assigned to each node to ensure a secure communi- 
cation between the nodes in the real time manner Due to 
the absence of the infrastructure, traditional KPD methods 
such like the key distribution center (KDC), where a cen- 
tralized authority for key distribution exists, are discarded 
and considered infeasible. 

To solve the above problem, several works and schemes 
have been introduced. These schemes range from the graph- 
based cryptographic keys assignment such like the works 
in m |5] |2l to the more sophisticated online key generation 
schemes such like works in |[3]|6][lll2l- In this paper, we 
review of these schemes and provide a construction on it to 
reduce its usage of resources while maintaining the same 
level of security. The revisited scheme is DDHV in intro- 
duced by Du et al. in 131 

We mainly introduce a construction based on the 
DDHV scheme to reduce the used computation overhead 
with a small additional communication overhead. Our main 
contributions are summarized as follows: (1) We intro- 



duce a special construction that reduces the computation 
overhead with a small additional communication overhead. 
(2) We show a concrete evaluation for the soundness of 
the scheme, the security achieved and the resources eval- 
uation. (3) To show a comparison between the modified 
DDHVscheme and the original work. 

The rest of this paper is organized as follows: section 
|2] introduces an overview of DDHV scheme followed by 
our scheme in section [3j section |4] introduces the analysis 
of both schemes where we show the overhead evaluation 
in terms of communication, computation and memory fol- 
lowed by the security analysis. Finally, section |5] draws a 
concluding remarks. 

2. DDHV scheme 

The DDHV scheme in fSl utilizes Blom's scheme in |[T] 
with Eschenauer and Gligor's random key assignment con- 
cept in m. Roughly speaking, both DDHV and Blom's 
schemes are based on the symmetry concept of matrices to 
provide symmetric pairwise keys for the pairs of communi- 
cating nodes. DDHV scheme differs in that it utilizes mul- 
tiple spaces for generating the key. In this paper, we will 
explain the discuss the symmetric matrix-based component 
of DDHVas our modification is only related to that part. 

Naively, a symmetric matrix of size N x N can be used 
for storing the different N"^ keys used for securing commu- 
nication within the entire network of size where each 
node Si can have a row in that matrix. If two nodes Si 
and Sj would like to communicate securely, they use the 
corresponding elements for encrypting and decrypting the 
communication traffic symmetrically. That is, Eij is used 
in Sj's side and Eji is used in Sj's side where both are 
equal according to the symmetry of the main matrix. To 
reduce the memory requirements, a linear algebraic -based 
construction is introduced where the size of the square ma- 
trix is reduced into A <C iV. In Blom (and therefore in 
DDHV) scheme 111, the following are defined: a public ma- 



trix G of size (A + 1) x iV and a private symmetric matrix 
D of size (A + 1) X (A + 1) where elements of G and D 
are randomly generated in the finite field Zg. Also, a matrix 
A is defined and computed as A = (DG)^ which is of 
size TV X (A + 1). For any node Si, the corresponding row 
Ar{i) from A and the corresponding column Gc{i) from 
G are selected and loaded in the node's memory. When Si 
and Sj need to communicate securely, they exchange Gc{i) 
and Gc{j) respectively and then fcy = A.r{i) x Gc{j) is 
computed in the side of Si and kji = Ar{j) x Gc{i) is 
computed in the side of sj. Obviously, the resulting keys 
are equal due to the symmetry property of the matrix D. 

To reduce the communication overhead, the DDHV 
scheme introduced the a construction of G based on Van- 
dermonde matrix which can be represented as in ([TJ where 
each node stores the corresponding field element in the ma- 
trix and generate the whole column from that value. Ob- 
viously, to construct corresponding column from the given 
value, A number of multiplications over Zq are required. 
Similarly, to generate the key by multiplying A^ by G^, 
another A number of multiplications over Zq is required. 



(1) 



3. Modified Scheme (OR-DDHV) 

Our modification for the above DDHV scheme relies in 
reducing the computation overhead with a slight increment 
in the used communication overhead while maintaining the 
same security level. That is, we re-design the public matrix 
G in such a way that maximize the number of zeros leading 
to that the inner multiplications used for generating the key 
are made as few as possible. Also, when several elements 
are set to zero in the matrix G, additional overhead required 
for reconstructing the public information when exchanging 
it will be discarded. 

Let the matrix (|2]l represents G^ in which each row 
has only two nonzero values. According to the above 
DDHV scheme, each node has a column in G represented 
by two non-zero values. Based on the G^, we define the 
ofline and online phases in the following sections. 
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3.1. Offline Phase 

1 . The administrator generates a symmetric matrix D of 
size A X A with elements in and the public matrix 
G of size \ x N with elements in Z, where G satisfies 
the above restrictions. 

2. The administrator computes A = G^D. The resulting 
A is of size N x \ and therefore its elements are in Zq. 

3. For each node s;, the administrator assigns the row 
with index i from the matrix A (e.g., Ar{i)) and col- 
umn with index i from the matrix G (i.e., Gc{i))- 

3.2. Online phase 

The online phase consists of the following steps: 

1. Firstly, two nodes Si and Sj exchange their pub- 
lic columns Gc{i) and Gc{i) which can be repre- 
sented as two non-zero values in Zg and denoted as 

2. In a vector Gc{j) with zero elements, the node Si sets 
the received gu and g2j from the node Sj with the iden- 
tifier j into following positions in Gc(j): 

Gc{j)[j modA]^5ij. 
G,(j)[(i + 1) mod A] ^52,. 

3. Similarly, the node sj reconstruct Gc{i) by plugging 
the received values gu, g2i in the following positions: 

Gc{i)[i mod A] gu 
Gc{i)[{i + 1) mod A] ^ g2i 



4. The node Si computes kij ~ Ar{i)Gc{j)- 

5. The node Sj computes kji = Ar{j)Gc{i)- 

4. Analysis 

4.1. Limitations on the Network Size 

(2) 

The maximum supported network size in our scheme is 
merely dependent on the parameters N and A. In order to 
avoid a possible collision and maintain the vectors of G 
independent, maximum network size is set to = 2 x A. 



4.2. Equivalence of keys 



4.3. Resources overhead 



We can simply show that the generated key are equal. 
That is equivalent to showing that if D symmetric then 
B = G^DG is also symmetric and therefore the resulting 
keys are equal at both sides of Si and Sj . To show the sym- 
metry of B, it is enough to demonstrate that B = B-'^. That 
is, B^ = (G^AG)^ = G^ (G^A)^ = G^A^G = 
G^A^G = B. Since both fcy and kji are elements in B 
which is symmetric, both keys are equal. 

Let Gij , dij and gij be the elements in the matrices 
A, D and G respectively. Also, let A = (DG)-^. From 
which we would like to show that /cy = Ar{i)Gc{j) and 
kji = Ar{j)Gc{i) are equal. 

Proof. 

We can write a,y with corresponding to its multipliers 
as follows:a,, 



(I]fe=i dtk9ki) 

From which we can write Ar{i) = [oii, a2i, . . . ] = 
Efc=i^ifc5fc»,Efc=i^2fc.9fc<,--- and Gc{j) = 

{9i3,92j, ■■■ )]■ The resulting of Ar{i) x Gc{j) can 
be written as follows: 



Ar{i)Gc{j) = ^ ^dikQki gij 



(3) 



1=1 \k=i 



Similarly, we can show that Ar{j)Gc{i) = 
J2i=iiJ2k=i^ik9kj)9u- Now, we would like to check 
whether Ar{j)Gc{i) = Ar{i)Gc{j) for any i ^ j. That is, 
we would like to show the following equality. 



'^l^9k^ 9ij = J2(J2'^' 



lk9kj 9li 



(4) 



;=i \k=i 



1=1 \k=i 



By Taking the right side in ^ and change the index of 

the summations we get the that: Y.f=iiY.k=i dik9kj)9u = 

Hk=i{Hi=i dki9ii)9ki = Z]fe=i(Z]i=i dik9ii)9ki- 

Because D is symmetric, gu = gu, therefore the above 

can be rewritten as: Ya=i dn9ij9u + ELi di29ij92i + 
• • • = {diigijgii + d21.g2i.9ij: + dzigzj9ii + • • ■ ) + 

{dl29l]92i + d2292j92i + d32 933 92i + ...) + (<il3,9lj.93i + 

d2392]93i + d3393j93i + ...) + •••■ resuming and ar- 
ranging the terms we get the following: 



9i] Y^ dik9ki + 92] Y, d2k9ki + ■ ■ ■ 

k=l k=l 
A A A / A \ 

1=1 k=l 1=1 \k=l ) 



• Communication overliead: The communication in 
the OR-DDHV scheme is 21og2 2* = 2 x g while it 
is q bits in the DDHV scheme when transferring a sin- 
gle field value from which the corresponding column 
in A is generated. 

• Computation overliead: The computation overhead 
in DDHV and OR-DDHV is two parts. First the first 
part is required for reconstructing the public informa- 
tion from the field element and the second part is re- 
quired for computing the inner product to generate the 
symmetric key. 

- Column's reconstruction computation: The 

computation required in OR-DDHV scheme to 
reconstruct the corresponding column is negli- 
gible while it is A number of multiplications in 
the field in DDHV scheme. That is, when 
A is large, the number of computations over q 
will be also large. To illustrate how the recon- 
struction works for the case of DDHV scheme, 
given s*, any element in the column is the result 
of multiplying the two previous elements. That 



is, s* = 1 X s', (s') 



i\2 



X and so on. 



From Q and (|5]l, we get that (|4]i holds. 



□ 



- Computation for inner product: The compu- 
tation for the inner product between the column 
from G and the row from A to obtain the sym- 
metric key is 2 multiplications in our scheme 
since only two values are non-zero in G's cor- 
responding column. On contrast, A number of 
multiplications in the field are required in the 
case of DDHV scheme. 

To sum up, the required computation overhead in term 
of multiplications in Zg is 2 multiplications for OR- 
DDHV and 2A multiplications for DDHV. 

• Memory overhead: For simplicity, we consider that 
the required memory is only for storing the corre- 
sponding row in A for the node in its memory. Re- 
calling that the elements of A are in Zg and the length 
of each row in A is A elements, the required memory 
in OR-DDHV is same like the required memory in 
DDHV which is equal to A x g bit. 

A summary of the comparison in terms of the required 
resources is shown in Table[T] Note that though the commu- 
nication overhead in OR-DDHV is higher than in DDHV , 
it is still constant since q is fixed to accumulate the proper 
length of key. On contrast, the computation in the OR- 
DDHV is constant while it increase linearly according to 
the security parameter A in DDHV. 



Table 1. Comparison between DDHV and OR- 
DDHV in term of the used resources where 
communication and memory are in bit per 
node and computation is in term of multipli- 
cations in the finite field Z,. 



resulting linear construction in A. In DDHVscheme, how- 
ever, all variables (represent by the different d's) appear in 
each equation rather than the two variables in each as shown 
above. 

5 Conclusion 
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4.4 Security Analysis 

The security analysis follows the analysis shown in 
DDHV or Blom work. That is, the system is A-secure which 
leads to that an adversary needs to know A number of dif- 
ferent linearly independent elements (i.e., rows or columns) 
from the key generation construction to be able to know 
the keys between uncompromised nodes. Recall G in (|2]), 
A, and D defined above. Also recall that Qij and dij are 
the elements of A and D respectively. Now we can 
define Ar{i) as Ar{i) ~ [ an ai2 ... aix ] where 



a 



{j2k=i dikgkij = {j2k=i dtkgkij ■ The above A 



can be rewritten as: 



(pilrfll + 5l2(i2l) 
(.922^21 + g2zd'il) 



{giidi2 

(.g22C?22 



512^22) 
.923 '^32) 



(6) 



An adversary who would like to attack the above system 
must first reconstruct the proper D. Since D is in Z^^^, 
A^ number of linear equations are required for reconstruct- 
ing it. That is, given that G, the systematic structure of A 
and G, and the symmetric property of D is publicly known 
information to the adversary, the adversary can obtain A 
different linear equations by attacking a single node and 
reconstructing the different equations representing the row 
Ar{i). By attacking the nodes with the ID 1, the attacker 
will have the followingian = giidu + ,9i2C?2i, 0.12 = 

.911^12 + 312^22, 013 = gildl3 + 5121^23, 

By repeating the physical attack to A different nodes, the 
adversary can construct A^ linear equation with A^ variables 
that can be solved to recover the whole private matrix D 
and construct any pairwise key between any pair of uncom- 
promised nodes by just observing their public information. 
Note that the existence of multiple zeros in the G will not 
reduce the hardness of solving the above linear system since 
the different elements of the matrix D always exist in the 



This paper introduced a variant for DDHV work. We 
demonstrated that the usage of the orthogonal matrix in- 
stead of fully random matrix with elements in Zq will lead 
to a great reduction in the overhead represented by the com- 
putation required for generating the public key material and 
the key itself. 
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